
Re: Does PAM support virtual users?



Hi,

The clear implementation of virtual user support was one of my aims
when I started a project named PNIAM.
It accumulates PAM's advantages and in addition
allows information to be passed from modules to applications.
According to the PNIAM API, applications must take the UID, home directory
and other information about the authenticated user from modules.
It solves the problem of virtual users for mail, www, and ftp services.

Starting the PNIAM implementation, I am first of all thinking about
clarity, robustness, and thread safety.
I can't consider the existing NSS implementation in glibc as
a reliable solution.

The PNIAM code is at the very beginning.
An LDAP module for PNIAM doesn't exist yet.
However, you may wish to look at the sources and the documentation:
        http://www.msu.ru/pniam/pniam.html
        ftp://ftp.nc.orc.ru/pub/Linux/pniam/pniam-0.01.tgz

Best wishes
					Andrey V. Savochkin


On Mon, Dec 07, 1998 at 04:21:46PM +0000, Jochen Wiedmann wrote:
> Nalin Dahyabhai wrote:
> 
> > Under glibc, what happens when an application calls functions like
> > getpwnam() and getpwuid() etc. is entirely configurable.  Under the
> > covers, glibc calls a series of modules in much the same way libpam
> > does.  Just which modules are queried is configured in /etc/nsswitch.conf.
> > The glibc info pages on the Name Service Switch are very helpful here.
> 
> That sounds exactly like what I want! I have read the glibc info pages on
> NSS and have started to study the nss_ldap sources, but they look really
> complicated, in particular I am puzzled about the expected "reentrancy" of
> the module although the functions do not return or receive something like
> a "private data handle". Are there any other sources for information,
> preferably some other examples?
> 
> 
> > The disadvantage of "virtual" users is that I can't see any way to do it
> > without hacking each program that needs to support them one by one.
> 
> Using an appropriate nss module would exactly fill my needs. The only
> difference I can see is that I prefer a common UID for all mail only
> users.
>  
> 
> > Forcing multiple users to the same UID is also a problem because there's
> > no way to get the name back based on just the UID, which I suspect most
> > software will want to do at some time or another.
> 
> I am not interested in most software, but precisely sendmail, procmail and
> imapd. :-)
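
The shared-UID point raised in the quoted discussion can be seen in a small model. This is an added example, not part of the thread and not glibc or PNIAM code. It assumes a flat passwd(5)-style database scanned linearly, and the account names, UID 5000 and paths are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data in passwd(5) format; alice and bob share UID 5000. */
static const char *SAMPLE_DB[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:5000:5000:mail only:/var/vmail/alice:/bin/false",
    "bob:x:5000:5000:mail only:/var/vmail/bob:/bin/false",
    "carol:x:1001:1001:shell user:/home/carol:/bin/sh",
};
#define DB_LEN (sizeof SAMPLE_DB / sizeof SAMPLE_DB[0])

struct entry { char name[32]; long uid; char home[64]; };

/* Parse name:passwd:uid:gid:gecos:home:shell (no empty fields); 0 on success. */
static int parse_entry(const char *line, struct entry *out)
{
    char pw[32], gecos[64], shell[64]; long gid;
    return sscanf(line, "%31[^:]:%31[^:]:%ld:%ld:%63[^:]:%63[^:]:%63[^:\n]",
                  out->name, pw, &out->uid, &gid, gecos, out->home, shell) == 7 ? 0 : -1;
}

/* Linear scan: match by name if name != NULL, else by UID.
 * Returns the number of matches; *out keeps only the FIRST one. */
int lookup(const char *name, long uid, struct entry *out)
{
    struct entry e;
    int hits = 0;
    for (size_t i = 0; i < DB_LEN; i++) {
        if (parse_entry(SAMPLE_DB[i], &e) != 0)
            continue;
        if ((name ? strcmp(e.name, name) == 0 : e.uid == uid) && hits++ == 0)
            *out = e;
    }
    return hits;
}

/* 1 if name -> UID -> name returns the same account, 0 otherwise. */
int round_trips(const char *name)
{
    struct entry fwd, rev;
    if (lookup(name, 0, &fwd) == 0 || lookup(NULL, fwd.uid, &rev) == 0)
        return 0;
    return strcmp(fwd.name, rev.name) == 0;
}

int main(void)
{
    printf("round-trips: alice=%d bob=%d carol=%d\n",
           round_trips("alice"), round_trips("bob"), round_trips("carol"));
    return 0;
}
```

A return value above 1 from `lookup(NULL, uid, ...)` flags a UID whose reverse lookup is ambiguous, which matters wherever file ownership or logs are attributed to a user by UID alone.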


